Ubuntu Continues Its Efforts to Be the Operating System for Humans
The upcoming release of Ubuntu 8.04, codenamed Hardy Heron, brings another improvement to make the setup and daily operation of one’s computer much easier.
The change concerns a security feature that, while a necessity, is not well understood by most, and whose control is misunderstood even more. The change is the firewall, simply called ufw, and its operation and maintenance are made easier in the same fashion that the programming language COBOL was much more natural, and therefore easier to understand, than its competitors Fortran, ALGOL, or the dreaded assembly language.
The control commands follow a simple syntax, which makes them easy to work with, and the abbreviations are less cryptic than those used by earlier Unix firewalls.
One of the most compelling features of ufw is the work the authors have put in to make its syntax a little more suited to human beings than the conventional iptables firewall. Here are some sample commands.
Firstly, to set the default policy to drop (deny) all connections:
    sudo ufw default deny
Then, to permit TCP connections on port 22:
    sudo ufw allow 22/tcp
You can allow or deny any individual port; for instance, if you wished to block SMTP connections without modifying any other rules, you would type:
    sudo ufw deny 25
This drops all connections coming in to port 25, whether TCP or UDP. As the examples above show, a rule can name TCP or UDP individually, or omit the protocol so that both forms are covered.
Additionally, ufw knows the names of all standard services. There’s no need for you to be cognizant that SMTP is commonly port 25. The same command can also be written as:
    sudo ufw deny smtp
This means you can turn web traffic, e-mail, FTP, telnet, SSH and any other common service on or off without having to look up the underlying port numbers. The service name matches what is listed in /etc/services.
You can also write rules in terms of source and destination IP addresses, like so:
    sudo ufw allow proto udp from 192.168.0.1 port 53 to 192.168.0.2 port 53
The port numbers need not match if you wish to remap ports; perhaps you want to hide your web server from casual browsers by requiring visitors to use port 8080 (e.g. http://website:8080); by using ufw in this way you can redirect incoming traffic on port 8080 to port 80 on your web server without actually opening port 80 to external users or exposing that machine to the internet.
Your rules can be easily revoked with commands like this:
    sudo ufw delete allow 22/tcp
This removes the rule we added earlier permitting inbound traffic on TCP port 22.
It’s not uncommon to permit unrestricted traffic from a specific static IP address. ufw caters for this with commands like:
    sudo ufw allow from 192.168.1.50
And then, of course, it can be revoked with the equivalent delete command:
    sudo ufw delete allow from 192.168.1.50
All this said, ufw is disabled by default. That’s because Ubuntu’s team don’t wish to impose a new tool on users without their explicit acceptance. Further, users may already have their own firewall system in place, be it iptables or something else.
So the first thing you’ll need to do with ufw is actually turn it on and make it persistent so it starts on reboot.
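As an added example (not from the original post), here is a POSIX shell script that applies the baseline described above and then checks the result in the output of ufw status. The DRY_RUN wrapper, the rule_present helper and the sample status text are my own constructions, and the script assumes options from later ufw releases (default deny incoming, limit, --force) that Hardy's version may not accept.

```shell
#!/bin/sh
# Baseline host firewall with ufw. Set DRY_RUN=1 to print the commands
# instead of running them, so the change can be reviewed first.

DRY_RUN="${DRY_RUN:-0}"

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Apply the baseline: deny everything inbound, allow SSH (optionally only
# from one management address), block SMTP by service name, then enable.
ufw_baseline() {
    mgmt_ip="$1"   # optional; empty means SSH from anywhere, rate-limited
    run ufw default deny incoming
    run ufw default allow outgoing
    if [ -n "$mgmt_ip" ]; then
        run ufw allow from "$mgmt_ip" to any port 22 proto tcp
    else
        run ufw limit 22/tcp      # LIMIT blocks a source after repeated attempts
    fi
    run ufw deny smtp             # name resolved to 25/tcp via /etc/services
    run ufw --force enable        # --force skips the interactive confirmation
}

# Verify that a rule appears in `ufw status` output read from stdin.
# Arguments: To column, Action column, From column, as ufw prints them.
rule_present() {
    awk -v to="$1" -v act="$2" -v from="$3" \
        'BEGIN { found = 0 } $1 == to && $2 == act && $3 == from { found = 1 }
         END { exit !found }'
}

# Constructed sample of `ufw status` output for a stand-alone check.
SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     LIMIT       Anywhere
25/tcp                     DENY        Anywhere'

# On a real host (as root): ufw_baseline 192.168.1.50
#   then: ufw status | rule_present 22/tcp ALLOW 192.168.1.50
```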
Very nice. Just another change for the better by the Ubuntu team; this should be one place where no squabbling among the various Linux factions occurs: everyone should simply adopt this.
Comments welcome.
Tags: ubuntu, hardy heron, firewall, complicated syntax, syntax rules made easy, natural abbreviation, linux
